replace hardcoded aws partition in ARNs with ${AWS::Partition}

ec2/al2-mutable-private.yaml

@@ -868,7 +868,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
     Type: 'AWS::EC2::Instance'
     Metadata:
@@ -1156,7 +1156,7 @@ Resources:
       ComparisonOperator: GreaterThanThreshold
       Threshold: 0
       AlarmActions:
-      - !Sub 'arn:aws:automate:${AWS::Region}:ec2:recover'
+      - !Sub 'arn:${AWS::Partition}:automate:${AWS::Region}:ec2:recover'
       Dimensions:
       - Name: InstanceId
         Value: !Ref VirtualMachine

ec2/al2-mutable-public.yaml

@@ -877,7 +877,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   VirtualMachine: # TODO make IMDSv2 required (waits for https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/issues/655)
     DependsOn: EIPAssociation
     Type: 'AWS::EC2::Instance'
@@ -1166,7 +1166,7 @@ Resources:
       ComparisonOperator: GreaterThanThreshold
       Threshold: 0
       AlarmActions:
-      - !Sub 'arn:aws:automate:${AWS::Region}:ec2:recover'
+      - !Sub 'arn:${AWS::Partition}:automate:${AWS::Region}:ec2:recover'
       Dimensions:
       - Name: InstanceId
         Value: !Ref VirtualMachine

ecs/cluster-cost-optimized.yaml

@@ -292,7 +292,7 @@ Resources:
             - 'ecs:SubmitContainerStateChange'
             - 'ecs:SubmitTaskStateChange'
             - 'ecs:ListContainerInstances'
-            Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+            Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
       - PolicyName: ecs-cluster-instance
         PolicyDocument:
           Version: '2012-10-17'
@@ -304,11 +304,11 @@ Resources:
             - 'ecs:UpdateContainerInstancesState'
             - 'ecs:ListTasks'
             - 'ecs:DescribeContainerInstances'
-            Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
+            Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
             Condition:
               'StringEquals':
                 'ecs:cluster':
-                  !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+                  !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
       - PolicyName: ecr
         PolicyDocument:
           Version: '2012-10-17'
@@ -351,7 +351,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   ALBSecurityGroup:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:

ecs/cluster.yaml

@@ -325,7 +325,7 @@ Resources:
             - 'ecs:SubmitContainerStateChange'
             - 'ecs:SubmitTaskStateChange'
             - 'ecs:ListContainerInstances'
-            Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+            Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
       - PolicyName: ecs-cluster-instance
         PolicyDocument:
           Version: '2012-10-17'
@@ -337,11 +337,11 @@ Resources:
             - 'ecs:UpdateContainerInstancesState'
             - 'ecs:ListTasks'
             - 'ecs:DescribeContainerInstances'
-            Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
+            Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:container-instance/*'
             Condition:
               'StringEquals':
                 'ecs:cluster':
-                  !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+                  !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
       - PolicyName: ecr
         PolicyDocument:
           Version: '2012-10-17'
@@ -384,7 +384,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   ALBSecurityGroup:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:
@@ -1185,13 +1185,13 @@ Resources:
           Statement:
           - Effect: Allow
             Action: 'ecs:ListContainerInstances'
-            Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+            Resource: !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
           - Effect: Allow
             Action: 'ecs:DescribeContainerInstances'
             Resource: '*'
             Condition:
               ArnEquals:
-                'ecs:cluster': !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
+                'ecs:cluster': !Sub 'arn:${AWS::Partition}:ecs:${AWS::Region}:${AWS::AccountId}:cluster/${Cluster}'
       - PolicyName: cloudwatch
         PolicyDocument:
           Statement:

ecs/service-cluster-alb.yaml

@@ -303,7 +303,7 @@ Resources:
     Type: 'AWS::IAM::Role'
     Properties:
       ManagedPolicyArns:
-      - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
+      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
       AssumeRolePolicyDocument:
         Version: '2008-10-17'
         Statement:

ecs/service-dedicated-alb.yaml

@@ -411,7 +411,7 @@ Resources:
     Type: 'AWS::IAM::Role'
     Properties:
       ManagedPolicyArns:
-      - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
+      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
       AssumeRolePolicyDocument:
         Version: '2008-10-17'
         Statement:

jenkins/jenkins2-ha-agents.yaml

@@ -680,7 +680,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   MasterSG:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:
@@ -1601,7 +1601,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   AgentSG:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:

jenkins/jenkins2-ha.yaml

@@ -600,7 +600,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   MasterSG:
     Type: 'AWS::EC2::SecurityGroup'
     Properties:

security/auth-proxy-ha-github-orga.yaml

@@ -486,7 +486,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     Type: 'AWS::EC2::LaunchTemplate'
     Metadata:

security/cloudtrail.yaml

@@ -94,13 +94,13 @@ Resources:
           Principal:
             Service: 'cloudtrail.amazonaws.com'
           Action: 's3:GetBucketAcl'
-          Resource: !Sub 'arn:aws:s3:::${TrailBucket}'
+          Resource: !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}'
         - Sid: AWSCloudTrailWrite
           Effect: Allow
           Principal:
             Service: 'cloudtrail.amazonaws.com'
           Action: 's3:PutObject'
-          Resource: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:aws:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
+          Resource: !If [HasLogFilePrefix, !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}/${LogFilePrefix}/AWSLogs/${AWS::AccountId}/*', !Sub 'arn:${AWS::Partition}:s3:::${TrailBucket}/AWSLogs/${AWS::AccountId}/*']
           Condition:
             StringEquals:
               's3:x-amz-acl': 'bucket-owner-full-control'
@@ -167,7 +167,7 @@ Resources:
       IncludeGlobalServiceEvents: true
       IsLogging: true
       IsMultiRegionTrail: true
-      EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: ['arn:aws:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
+      EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
       KMSKeyId: !If [HasParentKmsKeyStack, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
       S3BucketName: !Ref TrailBucket
       S3KeyPrefix: !Ref LogFilePrefix
@@ -184,7 +184,7 @@ Resources:
       IncludeGlobalServiceEvents: true
       IsLogging: true
       IsMultiRegionTrail: true
-      EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: ['arn:aws:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
+      EventSelectors: !If [IsS3DataEvents, [{DataResources: [{Type: 'AWS::S3::Object', Values: [!Sub 'arn:${AWS::Partition}:s3:::']}], IncludeManagementEvents: true, ReadWriteType: All}], !Ref 'AWS::NoValue']
       KMSKeyId: !If [HasParentKmsKeyStack, {'Fn::ImportValue': !Sub '${ParentKmsKeyStack}-KeyId'}, !Ref 'AWS::NoValue']
       S3BucketName: !Ref ExternalTrailBucket
       S3KeyPrefix: !Ref LogFilePrefix

security/config.yaml

@@ -108,7 +108,7 @@ Resources:
     Type: 'AWS::IAM::Role'
     Properties:
       ManagedPolicyArns:
-      - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRole'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:
@@ -125,13 +125,13 @@ Resources:
           Statement:
           - Effect: Allow
             Action: 's3:PutObject'
-            Resource: !Sub 'arn:aws:s3:::${ConfigBucket}/*'
+            Resource: !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}/*'
             Condition:
               StringLike:
                 's3:x-amz-acl': 'bucket-owner-full-control'
           - Effect: Allow
             Action: 's3:GetBucketAcl'
-            Resource: !Sub 'arn:aws:s3:::${ConfigBucket}'
+            Resource: !Sub 'arn:${AWS::Partition}:s3:::${ConfigBucket}'
       - PolicyName: 'sns-policy'
         PolicyDocument:
           Version: '2012-10-17'
@@ -144,7 +144,7 @@ Resources:
     Type: 'AWS::IAM::Role'
     Properties:
       ManagedPolicyArns:
-      - 'arn:aws:iam::aws:policy/service-role/AWSConfigRole'
+      - !Sub 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRole'
       AssumeRolePolicyDocument:
         Version: '2012-10-17'
         Statement:

security/kms-key-legacy.yaml

@@ -46,7 +46,7 @@ Resources:
         'detail-type':
         - 'AWS API Call via CloudTrail'
         resources:
-        - !Sub 'arn:aws:${AWS::Partition}:${AWS::Region}:${AWS::AccountId}:key/${KeyId}'
+        - !Sub 'arn:${AWS::Partition}:${AWS::Partition}:${AWS::Region}:${AWS::AccountId}:key/${KeyId}'
         detail:
           eventSource:
           - 'kms.amazonaws.com'

security/kms-key.yaml

@@ -104,7 +104,7 @@ Resources:
         Statement:
         - Effect: Allow
           Principal:
-            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
           Action: 'kms:*'
           Resource: '*'
         - !If
@@ -189,7 +189,7 @@ Resources:
             Resource: '*'
             Condition:
               StringLike:
-                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:aws:cloudtrail:*:${AWS::AccountId}:trail/*'
+                'kms:EncryptionContext:aws:cloudtrail:arn': !Sub 'arn:${AWS::Partition}:cloudtrail:*:${AWS::AccountId}:trail/*'
           - !Ref 'AWS::NoValue'
   KeyAlias:
     DeletionPolicy: Retain

state/elasticsearch.yaml

@@ -151,7 +151,7 @@ Resources:
             AWS: '*'
           Action:
           - 'es:ESHttp*'
-          Resource: !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
+          Resource: !Sub 'arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${DomainName}/*'
       DomainName: !Ref 'DomainName'
       EBSOptions: !If
       - HasEBSEnabled

state/secretsmanager-dbsecret.yaml

@@ -91,7 +91,7 @@ Resources:
           Action: 'secretsmanager:DeleteSecret'
           Effect: Deny
           Principal:
-            AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root'
+            AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
 Outputs:
   TemplateID:
     Description: 'cloudonaut.io template id.'

static-website/static-website.yaml

@@ -188,7 +188,7 @@ Resources:
         Statement:
         - Action: 's3:GetObject'
           Effect: Allow
-          Resource: !Sub 'arn:aws:s3:::${S3Bucket}/*'
+          Resource: !Sub 'arn:${AWS::Partition}:s3:::${S3Bucket}/*'
           Principal:
             CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
         - Sid: AllowSSLRequestsOnly # AWS Foundational Security Best Practices v1.0.0 S3.5

vpc/vpc-flow-logs-s3.yaml

@@ -108,7 +108,7 @@ Resources:
     Condition: ExternalBucket
     Type: 'AWS::EC2::FlowLog'
     Properties:
-      LogDestination: !If [HasLogFilePrefix, !Sub 'arn:aws:s3:::${ExternalLogBucket}/${LogFilePrefix}/', !Sub 'arn:aws:s3:::${ExternalLogBucket}']
+      LogDestination: !If [HasLogFilePrefix, !Sub 'arn:${AWS::Partition}:s3:::${ExternalLogBucket}/${LogFilePrefix}/', !Sub 'arn:${AWS::Partition}:s3:::${ExternalLogBucket}']
       LogDestinationType: s3
       ResourceId: {'Fn::ImportValue': !Sub '${ParentVPCStack}-VPC'}
       ResourceType: 'VPC'

vpc/vpc-nat-instance.yaml

@@ -282,7 +282,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     Type: 'AWS::EC2::LaunchTemplate'
     Metadata:

vpc/vpc-ssh-bastion.yaml

@@ -243,7 +243,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     Type: 'AWS::EC2::LaunchTemplate'
     Metadata:

vpc/vpc-vpn-bastion.yaml

@@ -435,7 +435,7 @@ Resources:
           Action:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
-          Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          Resource: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     Type: 'AWS::EC2::LaunchTemplate'
     Metadata:

wordpress/wordpress-ha-aurora.yaml

@@ -665,7 +665,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     DependsOn: [DatabaseA, DatabaseB]
     Type: 'AWS::EC2::LaunchTemplate'

wordpress/wordpress-ha.yaml

@@ -798,7 +798,7 @@ Resources:
           - 'iam:ListSSHPublicKeys'
           - 'iam:GetSSHPublicKey'
           Resource:
-          - !Sub 'arn:aws:iam::${AWS::AccountId}:user/*'
+          - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:user/*'
   LaunchTemplate:
     Type: 'AWS::EC2::LaunchTemplate'
     Metadata: